Penetration Testing mailing list archives
RE: pushing exploits through the Firewall
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Tue, 14 Feb 2006 12:12:23 -0600
Mike, So what I think you may be getting at is one of two things: 1. Most BIND exploits are TCP-based, and most sharp firewalls admins allow only UDP. In this case, no dice. Three or four years ago there was a UDP based exploit for BIND, some vuln in recursion I think...anyway go Google. :) 2. Some of the BIND exploits were attacked via overflow in the protocol headers, so if you are facing a firewall that does some protocol validation, and DNS is a common/easy one to do, then you exploit may be blocked over TCP by a protocol validator that sees a non-RFC compliant/sized header. 3. There's lots of third options that may or may not be viable. Look for a proxy with CONNECT method enabled to the outside world, and shove a TCP connection to the BIND server through their proxy, or Citrix box, or anything else you can find open. -ae
-----Original Message----- From: Julian Totzek [mailto:julian.totzek () bristol de] Sent: Monday, February 13, 2006 2:32 PM To: Mike Gilligan; pen-test () securityfocus com Subject: AW: pushing exploits through the FirewallHi group Say a pentester manages to discover a vulnerable version of BINDrunningon an external DNS server and has successfully sourced anexploit for thevuln. I'm curious how it would be possible to launch the exploitagainst theserver when a packet filtering device and statefulinspection Firewall sitbetween the pentester and the vuln host. It would seem atfirst glancethat this is not a viable option. How else might one go about exploitingthevuln?Hi Mike, remember, a firewall is mostly controlling the entrance but not the application itself. So if there is a exploit running on port UDP 53 the firewall will let it pass, cause it only knows port 53 UDP is legitimate traffic. Sometimes there are some kind of filter enabled in firewalls which will block these exploits, but normally there is nothing ;-) So just go for it and try it :-) -------------------------------------------------------------- ---------------- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------- -----------------
------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- pushing exploits through the Firewall Mike Gilligan (Feb 12)
- RE: pushing exploits through the Firewall Enrique A. Sanchez Montellano (Feb 12)
- <Possible follow-ups>
- RE: pushing exploits through the Firewall c . ehlen (Feb 15)
- RE: pushing exploits through the Firewall Evans, Arian (Feb 15)